Copyright 2001, Miercom. All rights reserved.
410 Hightstown Road, Princeton Junction, NJ 08550
609-490-0200; fax 609-490-0610
www.mier.com
The leading edge in networking information
White Paper
Cisco MPLS based VPNs:
Equivalent to the security of Frame
Relay and ATM
March 30, 2001
Abstract: The purpose of this white paper is to present discussion and findings that conclude
that Cisco MPLS-based VPNs are as secure as their layer 2 counterparts such as Frame-Relay
and ATM. This document details a series of tests that were carried out on a Cisco router test
bed, validating that MPLS-based VPNs (MPLS-VPN) provide the same security as Frame-Relay
or ATM.
ATM and Frame-Relay have a reputation in the industry as being secure foundations for
enterprise connectivity. Essential items that make ATM and Frame-Relay a secure network
were considered and tested on an MPLS-VPN.
• Address and routing separation equivalent to layer 2 models
• A service provider core network that is not visible to the outside world
• A network that is resistant to attacks
The test results show that MPLS-VPNs provide the features listed above at or above the level
of a layer 2 VPN such as Frame-Relay or ATM.
As described in greater detail throughout this paper, a test bed of 22 Cisco routers was
used, including two Cisco 12000 series Internet routers, two 7505s, four 7206 VXRs, five
3640s, five 2611s, and four 1750s running IOS versions 12.0 and 12.1, to implement the
functions necessary to provide a stable and secure MPLS core.
Introduction
Today, business customers accept the level of security that Frame-Relay and ATM
offer as layer 2 VPNs; however, they might have concerns about the level of security that
an MPLS-based VPN offers. The goal of this paper is to answer those questions and
provide proof, with test results, that an MPLS-based VPN solution is as secure as a
comparable layer 2 VPN. A basic understanding of MPLS and MPLS-VPN principles is
assumed for this paper.
Virtual Private Networks
A virtual private network (VPN) can be defined loosely as a network in which
customer connectivity amongst multiple sites is deployed on a shared infrastructure, with
the same access or security policies as a private network. As an alternative to
expensive leased lines or circuit-switched infrastructures, virtual private networks have
been growing rapidly in the business world.
Currently most of these VPN infrastructures are built on Frame-Relay or ATM
networks connecting customer sites via Virtual Circuits (VCs). The hub-and-spoke
topologies common to VPNs today are being replaced by an any-to-any mesh that
increases the complexity and number of VCs needed. This increase in VCs, and the
complexity that goes with them, is driving the need for a more scalable VPN solution.
VPN topology today
Today VPNs are implemented using the overlay model, where the service provider
provides an enterprise customer with the ability to inter-connect many sites utilizing a
private WAN IP network. Each site requiring connectivity will receive a router that
needs to be peered through an appropriate interior gateway protocol (IGP) to at least one
head end router. The backbone here is owned by the service provider and shared between
multiple enterprise customers. So the network is not really a private network but a
Virtual Private Network.
Currently the enterprise IP network is overlaid on top of the Service Provider
backbone (figure 1); the enterprise network is the higher layer network (layer 3) while the
backbone network is the lower layer (layer 2). Both networks exist, but independently of
each other. The enterprise establishes router-to-router communication using some IGP
and the service provider views the routing information as merely more data.
Figure 1: Overlay VPN
For an enterprise to be able to route optimally in this model, it is necessary for the
network to be fully meshed (figure 2). This means that every site must have a link to
every other site, increasing the number of VCs to a total of n*(n-1)/2, where n is the number
of sites. That increase in the number of VCs required also greatly increases the complexity
of the network and the routing protocol. This added complexity makes adding additional
sites painful for both the enterprise and the service provider. Traffic engineering is also
made more difficult in this model, as knowledge of site-to-site traffic is necessary to
properly provision the VCs. Plainly stated, this model does not scale well for large, highly
meshed topologies.
[Figure 1 diagram labels: End-Site, End-Site, End-Site, Head-End Router, Frame-Relay or ATM]
Figure 2: Fully Meshed VPN
Peer Model
Utilizing the peer model, both the service provider and the customer use the same
network protocol. In this model the Provider Edge (PE) device is a router that directly
exchanges routing information with the CPE router. This simplifies routing from the
customer's perspective, as they no longer have to peer with every other end-site, but only
with one PE router. Routing is now optimal between the customer's sites, as the provider
routers know the customer's network topology. Also, adding a new site is significantly
simpler, since the service provider does not have to provision a whole new set of VCs.
Two implementation options existed for the peer model prior to MPLS-based VPNs:
the shared router approach and the dedicated router approach. In the shared router
approach several VPN customers share the same PE router; this approach has to be
concerned with access control, making sure that there is no crossover between different
customers' traffic. The dedicated router approach uses a separate PE router for each VPN
customer, causing scalability concerns for the provider. Neither approach allows the use
of private IP addresses (RFC 1918), as each customer would have to have unique
addressing.
A major drawback of both of these peer models is their inability to provide traffic
isolation. Once the customers are connected to the provider network they need to use
unique addressing, as all routes are placed in the global routing table. Unlike layer 2
based VPNs, it is necessary to look at the layer 3 header to make the forwarding decision.
In the early models forwarding over the backbone was done by IP routing.
[Figure 2 diagram labels: End-Site, End-Site, End-Site, Head-End Router, Frame-Relay or ATM]
MPLS-VPN
In this VPN model, MPLS is used for forwarding packets over the backbone, and
BGP is used for distributing routes over the backbone. The method is simple for the
customer and scalable and flexible for the Service Provider. This method also allows the
Service Provider to offer Internet access to these customers.
An MPLS-VPN is a “true peer VPN” model that performs traffic separation at Layer
3 through the use of separate IP VPN forwarding tables. MPLS-VPN enforces traffic
separation between customers by assigning a unique VRF (VPN routing and forwarding
instance) to each customer’s VPN. This is comparable to the security of a Frame-Relay or
ATM network, because users in a specific VPN cannot see traffic outside their VPN.
This is because forwarding within the Service Provider backbone is based
on labels. These label switched paths (LSPs), set up by MPLS, begin and terminate at the
PE routers, while the CE routers perform normal routing. It is the job of the incoming
interface on the PE to determine which forwarding table to use when handling a packet,
because each incoming interface on a PE router is associated with a particular VPN. This
means that a packet can enter a VPN only through an interface that is associated with that
VPN.
Traffic separation occurs without tunneling or encryption because it is built directly
into the network itself. MPLS-VPN uses Multiprotocol BGP extensions to encode
customer IPv4 address prefixes into unique VPN-IPv4 NLRIs. Through the use of the
Extended BGP community attribute the PE routers are able to control the distribution of
these routes. These PE routers also assign a label to each VPN customer route and
share these labels with other PEs, ensuring that data packets are directed to the correct
egress CE.
When a data packet is forwarded two labels are used. The top label directs the traffic
to the correct PE router while the second label indicates how the PE should handle that
packet. MPLS then takes over by forwarding the packet across the backbone using
dynamic IP paths or traffic engineered paths.
To simplify things further, standard IP forwarding is used between the PE and CE
routers. The PE has a per-site VRF forwarding table that contains only the set of routes
available to that CE router. The CE router is a routing peer of the PE to which it is
directly connected but is not a routing peer of CE routers at other sites. Routers at
different sites don’t directly exchange routing information with one another. This allows
for very large VPNs to be easily supported while simplifying the routing configuration at
each individual site.
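The forwarding model described above (per-interface VRF selection, VPN-IPv4 routes keyed by route distinguisher, and a two-label stack), as an added toy simulation that is not code from the paper, Miercom or Cisco; the interface names, route distinguishers, labels and addresses are constructed sample values. It shows that two VPNs can carry the identical prefix and that a packet arriving on an interface bound to one VRF can only ever reach that VRF's routes.

```python
from ipaddress import ip_address, ip_network

# VPN-IPv4 NLRI = (route distinguisher, prefix) -> (egress PE, VPN label, egress CE).
# Two VPNs advertise the identical prefix; the RD keeps the routes distinct.
VPN_ROUTES = {
    ("RD:1", ip_network("10.1.0.0/16")): ("PE2", 200, "CE-A2"),
    ("RD:2", ip_network("10.1.0.0/16")): ("PE2", 201, "CE-B2"),
}
# Every PE ingress interface is bound to exactly one VRF (constructed values).
INGRESS_VRF = {("PE1", "Serial0"): "RD:1", ("PE1", "Serial1"): "RD:2"}
# Top label: the LSP from the ingress PE to each egress PE.
LSP_LABEL = {"PE2": 100}
# Egress PE: VPN label -> (VRF, outgoing CE). P routers never consult this table.
VPN_LABEL_TABLE = {"PE2": {200: ("RD:1", "CE-A2"), 201: ("RD:2", "CE-B2")}}

def ingress_pe(pe, iface, dst):
    """Select the VRF from the incoming interface, do a longest-match lookup in
    that VRF only, and push the two-label stack [top_label, vpn_label]."""
    vrf = INGRESS_VRF[(pe, iface)]
    addr = ip_address(dst)
    matches = [(pfx, nh) for (rd, pfx), nh in VPN_ROUTES.items()
               if rd == vrf and addr in pfx]
    if not matches:
        return None  # no such route in this VRF; other VPNs' routes are invisible
    _, (egress, vpn_label, _) = max(matches, key=lambda m: m[0].prefixlen)
    return [LSP_LABEL[egress], vpn_label]

def core_switch(labels):
    """P routers switch on the top label alone; no IP header is examined."""
    egress = next(pe for pe, lbl in LSP_LABEL.items() if lbl == labels[0])
    return egress, labels[1:]  # top label removed before the egress PE sees it

def egress_pe(pe, labels):
    """The VPN label selects the VRF and the CE the packet is handed to."""
    return VPN_LABEL_TABLE[pe][labels[0]]

def forward(pe, iface, dst):
    """End-to-end path of one packet; returns (VRF, CE) or None if dropped."""
    labels = ingress_pe(pe, iface, dst)
    if labels is None:
        return None
    egress, labels = core_switch(labels)
    return egress_pe(egress, labels)

if __name__ == "__main__":
    # Same destination address, different ingress interfaces: different VPNs.
    print(forward("PE1", "Serial0", "10.1.2.3"))    # ('RD:1', 'CE-A2')
    print(forward("PE1", "Serial1", "10.1.2.3"))    # ('RD:2', 'CE-B2')
    print(forward("PE1", "Serial0", "172.16.0.1"))  # None
```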
Figure 3: MPLS-VPN
Requirements of a Secure Network
When comparing MPLS-VPN based solutions to traditional layer 2 based VPN
solutions such as Frame-Relay and ATM, several key security requirements need to be
addressed.
• It is necessary to have addressing and routing separation.
• The internal structure of the backbone network must be hidden from the
outside. Just as a Frame-Relay or ATM network core is hidden, so must
an MPLS-VPN core.
• The network must have resistance to attacks, both Denial-of-Service
(DoS) and intrusion attacks.
Addressing separation means that the address spaces of two non-intersecting VPNs are
entirely independent; for example, two VPNs can use the exact same address space without
interfering with each other. From the routing perspective this means that each end system
in a VPN has a unique address, so no two sites in the same VPN share the same address
space. ATM and Frame-Relay have no problem implementing these features, as they never
look at the layer 3 information; the forwarding decision is made on layer 2 criteria such
as DLCIs and VPI/VCI pairs.
Hiding the internal structure of the backbone means that there should be little or no
visibility into the core from outside networks. As there is no layer 3 connectivity
between the customer equipment and the Frame-Relay or ATM switch, the only visibility
[Figure 3 diagram labels: CE Router (x4), PE Router (x2), MPLS-Core]